
Yannick H.
Too Long; Didn't Read
CFOs do not need to understand cybersecurity technically — but they do need to know which questions to ask. What risk are we taking on? What will an incident cost us? Are we insurable? Who decides what? These four questions separate CFOs who manage IT budgets sensibly from those who simply nod along.

TLDR
Cyber risk is now clearly business risk, but most CFOs sit in security meetings and do not understand half the report. That is not a failure of the CFO, but a communications problem. What you really need to know: your specific financial exposure, how to assess security spending like a risk investment, and which five questions you should ask your IT team. This article gives you exactly that, without any firewall explanations.
"How much do we spend on IT security?"
"CHF 350'000."
"Is that enough?"
"...Yes?"
This conversation happens at almost every executive meeting. And nobody knows whether the answer is right.
The CFO asks, rightly so. They share responsibility for the company's financial risk. The IT manager or CISO answers, to the best of their knowledge. But both are talking past each other. One thinks in threat scenarios and attack vectors, the other in exposure, budget allocation, and risk reduction.
The result: no one makes a truly informed decision.
We see this regularly in our work with Swiss SMEs and mid-market companies. And the honest truth is: the problem is not with the CFO. It is that cybersecurity is still communicated as a technical topic, even though it is already a financial one.
This article changes that. No jargon, no firewall explanations, no SIEM alphabet soup. Only what you as a CFO really need to make good decisions.
What you do not need to know as a CFO
Briefly upfront, because it matters.
You do not need to understand how an Intrusion Detection System works. You do not need an opinion on Endpoint Protection Platforms. And you also do not need to decide which SIEM tool the company uses.
That is the job of your CISO or IT manager. They are supposed to be technology experts.
What you need is the ability to ask the right questions. To understand what an answer means. And to judge whether a budget request makes sense.
That is a different kind of knowledge, and that is exactly what this is about.
What an incident really costs you
That is the starting point most security discussions skip.
When your CISO talks about the "Average Cost of a Data Breach" and mentions USD 4.8 million (a figure that actually appears in industry reports), it sounds abstract. What does that mean for your company specifically?
The relevant calculation looks like this:
Revenue per hour of downtime. If your company generates CHF 50 million in annual revenue, that is roughly CHF 5'700 per calendar hour, so a 48-hour outage costs about CHF 270'000 in direct revenue before you have spent a single franc on recovery. This assumes revenue accrues evenly around the clock and stops completely while systems are down; if your revenue depends on business hours, or the outage hits a peak period, the figure for the same 48 hours is several times higher. State which basis you used when you present the number.
Notification costs. GDPR and the Swiss Data Protection Act (DSG) oblige you to notify the supervisory authority of a data breach (under GDPR within 72 hours of becoming aware of it; under the DSG, the FDPIC, the Federal Data Protection and Information Commissioner, where the breach is likely to result in a high risk for the persons concerned) and, where the risk to those persons is high, the affected individuals themselves. Administrative costs can quickly reach CHF 100-200 per affected person, and you have a lot of customer data.
Legal exposure. GDPR fines can reach up to EUR 20 million or 4% of global annual turnover, whichever is higher. That is not a theoretical threat; European supervisory authorities have significantly tightened their approach in the last two years. The revised DSG adds a point that concerns executives directly: its fines of up to CHF 250'000 are imposed on the responsible individuals, not on the company.
Cyber insurance deductible. Your insurance policy has a deductible. Have you looked at it recently? In Switzerland, typical deductibles range from CHF 50'000 to CHF 250'000. Anyone who does not know this will be surprised when a claim arises.
Reputational damage. Hard to quantify, but real. In practice, B2B companies lose 5-15% of their customer base in the 18 months following a publicly known incident.
Once you have run these numbers concretely for your company, the security budget discussion immediately looks different. Not "350'000, is that a lot?" but "350'000 to reduce a risk with exposure of 3-5 million, does that make sense?"
How to think about security spending like a CFO
Here is the mindset shift that brings the most clarity.
Security spending is not an IT cost. It is a risk investment. Just like business insurance, inventory, or currency hedging.
The concept is called ROSI: Return on Security Investment. In its simplest form it is the annual loss you avoid minus what the measure costs:
ROSI = (risk reduction in CHF) - (cost of the measure)
(The conventional form divides this difference by the cost to get a ratio. The absolute figure is easier to compare with a budget line, the ratio easier to compare between measures.)
Example: A measure costs CHF 80'000 per year and reduces the annual probability of an incident with expected damage of CHF 2 million from 15% to 5%.
Without the measure: expected annual loss = CHF 300'000 (15% of 2M)
With the measure: expected annual loss = CHF 100'000 (5% of 2M)
Risk reduction: CHF 200'000
Cost: CHF 80'000
ROSI: +CHF 120'000 per year (as a ratio: 120'000 / 80'000 = 1.5, i.e. a 150% return on the spend)
This is not a perfect model; probabilities are always estimates, and small changes in them swing the result. But it forces the right discussion. Instead of "how much should we spend?" you ask: "Which risks are we reducing, by how much, and what does it cost?"
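To make the exposure calculation above and the ROSI arithmetic reusable rather than a one-off slide, here is a small Python model, added here as a worked example; it is not code from the original article. It computes the downtime figure and the other exposure line items, the per-measure ROSI in both the absolute and the ratio form, rejects estimates that cannot be right (probabilities outside 0-100%, or a "measure" that raises the probability), and ranks several candidate measures under a budget cap, which is the same arithmetic behind the "20% more, 20% less" question at the end of the article. Apart from the article's CHF 50M / 48-hour downtime case and its CHF 80'000 / 15% / 5% example, every name, cost and probability below is a constructed assumption, not a benchmark.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365   # calendar basis; use ~2000 for a business-hours basis


def downtime_revenue_loss(annual_revenue: float, outage_hours: float,
                          hours_per_year: float = HOURS_PER_YEAR) -> float:
    """Revenue not earned during an outage.

    Assumes revenue accrues evenly over hours_per_year and stops entirely while
    systems are down.  The article's CHF 50M / 48h case gives about CHF 274'000
    on the calendar basis and several times that on a business-hours basis.
    """
    if annual_revenue < 0 or outage_hours < 0 or hours_per_year <= 0:
        raise ValueError("revenue and hours must be non-negative, hours_per_year positive")
    return annual_revenue / hours_per_year * outage_hours


def incident_exposure(annual_revenue: float, outage_hours: float,
                      affected_persons: int, cost_per_notification: float,
                      deductible: float, legal_reserve: float,
                      reputational_loss: float) -> dict[str, float]:
    """Add up the article's cost items for one major incident, keeping each visible."""
    items = {
        "downtime": downtime_revenue_loss(annual_revenue, outage_hours),
        "notification": affected_persons * cost_per_notification,
        "deductible": deductible,
        "legal": legal_reserve,
        "reputation": reputational_loss,
    }
    items["total"] = sum(items.values())
    return items


@dataclass(frozen=True)
class Control:
    """A candidate measure and the loss scenario it reduces."""
    name: str
    annual_cost: float
    expected_loss: float   # loss if the scenario happens once (single-loss expectancy)
    p_before: float        # annual probability of the scenario without the measure
    p_after: float         # annual probability with the measure

    def __post_init__(self) -> None:
        # Reject estimates that cannot be right before they reach a slide deck.
        if not 0.0 <= self.p_after <= self.p_before <= 1.0:
            raise ValueError(f"{self.name}: need 0 <= p_after <= p_before <= 1")
        if self.annual_cost <= 0 or self.expected_loss < 0:
            raise ValueError(f"{self.name}: cost must be positive, loss non-negative")

    def ale_before(self) -> float:      # annualised loss expectancy without the measure
        return self.p_before * self.expected_loss

    def ale_after(self) -> float:       # annualised loss expectancy with the measure
        return self.p_after * self.expected_loss

    def risk_reduction(self) -> float:
        return self.ale_before() - self.ale_after()

    def rosi_chf(self) -> float:
        """The article's absolute form: avoided loss minus cost, per year."""
        return self.risk_reduction() - self.annual_cost

    def rosi_ratio(self) -> float:
        """Conventional form: net benefit per franc spent (1.5 means 150%)."""
        return self.rosi_chf() / self.annual_cost


def prioritise(controls: list[Control], budget: float) -> list[Control]:
    """Fund measures with positive ROSI, best ratio first, until the budget is used up.

    Greedy rather than optimal, but it gives a defensible answer to "what would
    you cut with 20% less, and add with 20% more?" from the same figures that
    justified the budget in the first place.
    """
    chosen: list[Control] = []
    remaining = budget
    for c in sorted(controls, key=lambda c: c.rosi_ratio(), reverse=True):
        if c.rosi_chf() <= 0:
            break            # sorted descending, so everything after this loses money too
        if c.annual_cost <= remaining:
            chosen.append(c)
            remaining -= c.annual_cost
    return chosen


# Constructed sample portfolio (assumed figures, not benchmarks).  "edr" carries the
# article's worked example: CHF 80'000/year, 15% -> 5% on a CHF 2M scenario.
SAMPLE_CONTROLS = [
    Control("mfa", 20_000, 2_000_000, 0.15, 0.05),
    Control("edr", 80_000, 2_000_000, 0.15, 0.05),
    Control("ir_retainer", 25_000, 2_000_000, 0.15, 0.12),
    Control("awareness", 25_000, 2_000_000, 0.15, 0.13),
    Control("shiny_tool", 150_000, 500_000, 0.10, 0.08),   # negative ROSI, never funded
]

if __name__ == "__main__":
    exposure = incident_exposure(50_000_000, 48, 20_000, 150, 100_000, 500_000, 1_000_000)
    for item, chf in exposure.items():
        print(f"{item:>13}: CHF {chf:>12,.0f}")
    for c in SAMPLE_CONTROLS:
        print(f"{c.name:>13}: net CHF {c.rosi_chf():>10,.0f}  ratio {c.rosi_ratio():>6.2f}")
    for budget in (100_000, 125_000, 150_000):   # -20%, base, +20%
        print(f"budget {budget:>8,}: {[c.name for c in prioritise(SAMPLE_CONTROLS, budget)]}")
```

Run it as a script to see the line items, the per-measure ROSI and which measures survive at 80%, 100% and 120% of a CHF 125'000 budget. The greedy ranking is deliberately simple: the point is that the answer to "what would you cut?" falls out of the same probabilities and loss figures used to justify the spend, so a team that cannot produce those figures cannot produce the ranking either.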
We described this approach in more detail in a separate article, how to allocate your security budget correctly.
The metrics that matter to you
Security reports are often full of numbers that say nothing. "15,000 blocked attacks last month" sounds impressive. It means nothing.
Here are the metrics that actually say something about your protection status:
Mean Time to Detect (MTTD). How long does it take on average before an attack is detected? Industry standard for well-run companies: under 24 hours. If your team says "several weeks," then you have a problem.
Mean Time to Respond (MTTR). Once an incident is detected, how long until it is contained? Every hour an attacker remains in the system after discovery adds to the damage: more systems touched, more data taken, more to rebuild afterwards.
Recovery Time Objective (RTO). If critical systems fail, when are they back up? Do you have a number? Have you ever tested it? (The last question is meant more seriously than it sounds.)
Coverage of critical systems. What percentage of your business-critical systems is covered by active monitoring? 60%? 80%? 100%? That says a lot about how blind you would be in a real emergency.
These four metrics fit on one page. You do not need to know more.
Insurance and investment: these are two different things
A common misunderstanding we encounter in conversations with CFOs: "We have cyber insurance, so we are covered."
Not quite.
Cyber insurance covers residual risk. In other words, what remains after all measures. It is not a substitute for security investments; it is the last safety net.
Also: insurance premiums are based on your security posture. Companies with proven security measures pay significantly less. We have seen clients reduce their premiums by 20-30% through targeted improvements to their security controls. That alone can refinance part of the security investment.
And another point that often surprises people: insurers deny claims if basic standards were not met. "You did not have multi-factor authentication on the affected system," and the claim is already at risk. Cyber insurance policies are becoming more precise and the requirements stricter.
If you do not know what minimum requirements your current policy sets: that is a good first conversation with your CISO.
NIS2 and why you could be personally liable
This is the part that changes the attention in executive meetings.
The EU's NIS2 Directive (Network and Information Security, second version, Directive (EU) 2022/2555) had to be transposed into national law by 17 October 2024, and the member states have been introducing their implementing acts since. Swiss companies are not directly regulated by the Directive, but those that provide in-scope services in the EU, or that supply EU companies which now have to manage supply-chain risk under NIS2, feel its requirements through contracts and audits, whether they know it or not.
What NIS2 means for the CFO:
Personal liability for executives. NIS2 explicitly states that the board and executive management are responsible for appropriate security measures. "IT decided that" is no longer a defense strategy.
Reporting obligations within 24 hours. Significant security incidents must be reported to the competent authority in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within a month. Failing to do so risks fines.
Risk management requirements. NIS2 requires demonstrable risk management processes. Not just technology, but governance documentation.
GDPR fines are already real. Several large companies are paying eight- or nine-figure penalties in Europe. NIS2 adds another regulatory layer, with more direct responsibility for executive management.
We have written about how cyber risk becomes business risk, and what that means for the governance discussion: Cyber risk as business risk.
The "three buckets" model: where your money goes
When your CISO presents the next budget, you can learn a lot about the quality of the plan with a simple question: "How is the budget distributed between prevention, detection, and response?"
A healthy security budget looks roughly like this:
Prevention (~50%): Firewalls, access controls, patch management, encryption, awareness training. What prevents attacks.
Detection (~30%): Monitoring, logging, SIEM systems, anomaly detection. What makes attacks visible.
Response (~20%): Incident response plans, backup systems, business continuity plans, external IR team. What limits damage if something happens.
If 90% of the budget goes into prevention and zero into response capability: that is a red flag. No system is 100% secure. Anyone who does not invest in response is implicitly planning: "If it happens, we will improvise."
Improvisation during ransomware is expensive. (We wrote a separate article about what is actually cheaper after a ransomware attack, and what is not: What is cheaper after a ransomware attack.)
Three buckets. Simple model. Very good first assessment.
And what does sensible security look like without tool sprawl?
One idea we work through with many clients: more security tools do not mean more security. Often the opposite is true.
Every tool requires configuration, updates, monitoring, and expertise. If your team manages 15 tools, 8 of which are actively maintained, then the other 7 are blind spots.
That sounds counter-intuitive. But we have seen concrete cases where companies, after consolidating from 12 tools to 6, had better visibility and faster response times. Less surface area, more depth.
This is a concept we cover in more detail in our article pragmatic cybersecurity, worth reading if you are preparing the next budget discussion.
The 5 questions you should ask your IT team
This is the practical conclusion. No long summaries. Just five questions to jot down.
They are intentionally phrased openly. Not to test anyone, but because the quality of the answers tells you a lot about where you stand.
Question 1: How high is our financial exposure in the event of a major incident?
You expect a concrete number or range, not "that's hard to say." Anyone who has no idea has never quantified the risk. That is a problem.
Question 2: How quickly can we restore critical business processes after an attack?
Recovery Time Objective (RTO) should be a number, not a shrug. And the follow-up question: have we ever tested this, with a real simulation or tabletop exercise?
Question 3: What are we currently not protected against?
This is the most important question. Good security teams know which gaps they have. If the answer is "basically everything is covered": caution. No company is fully protected. Anyone who claims that has either not looked closely or wants to sell you something.
Question 4: How does our security budget relate to our risk exposure?
Not "is the budget high enough?" but: Have we established a relationship between what we spend and what we want to protect? If that connection is missing, the basis for every budget decision is missing.
Question 5: What would you do with 20% more budget, and what with 20% less?
This question may be the most revealing one. The answer shows whether your security team can prioritize. What is critical, what is "nice to have"? Anyone who cannot answer this question has no priority model. And a budget without a priority model is hard to defend.
We regularly help CFOs and executive teams have exactly these conversations, with the right framing, the right metrics, and a clear view of the financial dimension of cyber risk.
If you want to know what your current security setup looks like from a business perspective, take a look at our cybersecurity consulting. No tech lecture, no product pitch, just an honest assessment.


